You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@guacamole.apache.org by "Michael Jumper (JIRA)" <ji...@apache.org> on 2018/04/18 17:43:00 UTC

[jira] [Deleted] (GUACAMOLE-548) Guacamole cookie does not contain the 'secure' attribute

     [ https://issues.apache.org/jira/browse/GUACAMOLE-548?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Michael Jumper deleted GUACAMOLE-548:
-------------------------------------


> Guacamole cookie does not contain the 'secure' attribute
> --------------------------------------------------------
>
>                 Key: GUACAMOLE-548
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-548
>             Project: Guacamole
>          Issue Type: Bug
>            Reporter: Ross Golder
>            Priority: Major
>              Labels: security
>
>  
> One of my colleagues is doing a security audit of our internal network services, which includes our Guacamole instance. Using 'Qualsys Freescan' he gets the following error:
> "Cookie Does not contain the 'secure' attribute."
> (see attached screenshots)
> The setup is a Linux VM running the latest (0.9.14) 'guacamole/guacamole' and 'guacamole/cd' containers being an nginx SSL reverse proxy. The nginx configuration is as per the recommended documentation:
>  
>  
> {code:java}
> server {
> listen 443 ssl;
> server_name guacamole.ourdomain.com;
> ssl_certificate /etc/letsencrypt/live/guacamole.ourdomain.com/fullchain.pem;
> ssl_certificate_key /etc/letsencrypt/live/guacamole.ourdomain.com/privkey.pem;
> location = /auth {
> proxy_pass https://...(redacted);
> proxy_pass_request_body off;
> proxy_set_header Content-Length "";
> proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
> }
> location / {
> auth_request /auth;
> proxy_pass http://guacamole-lb:8080/guacamole/;
> proxy_buffering off;
> proxy_http_version 1.1;
> proxy_set_header Host $http_host;
> proxy_set_header X-Real-IP $remote_addr;
> proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
> proxy_set_header X-Forwarded-Proto $scheme;
> proxy_set_header X-Forwarded-Protocol $scheme;
> proxy_set_header Forwarded proto=$scheme;
> proxy_set_header Upgrade $http_upgrade;
> proxy_set_header Connection $http_connection;
> gzip off;
> }
> }
> {code}
>  
> As far as I can see, Guacamole should determine that it's being served via an https connection that it can be configured to generate 'secure' cookie headers. I've tried adding 'X-Forwarded-Proto', 'X-Forwarded-Protocol' and the newer 'Forwarded' headed but the cookies are issues as 'httponly' regardless.
> Please advise.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)